
Researcher Matt Miller joins the Microsoft security team

Several years ago, the idea of hiring security researchers to work at large software companies was something of a novelty. Vendors such as Microsoft, Oracle Corp., IBM and others took a dim view of this, reasoning that there was no way to know whether someone who was prone to breaking their applications could be trusted in a corporate environment. This was a big topic of conversation in the industry, especially among the researchers, and there was a lot of back-and-forth on mailing lists and at conferences about who was selling out and who was staying true.

Of course, that was all before security research became a mainstream profession, one at which guys like Dave Aitel, HD Moore, David Litchfield and others could make a legitimate living. And now, it seems that there are more researchers inside the belly of the beast than outside. Microsoft has been especially active in hiring researchers, and they’ve just struck again with the news that Matt Miller is joining the Microsoft Security Science team. Miller, also known as Skape, has been doing serious research on Windows exploitation for years and is a major contributor to Moore’s Metasploit Project, as well. Miller is also the author of WehnTrust, a host IPS.

Michael Howard, Microsoft’s resident security development lifecycle chief, announced Miller’s hiring in a blog post: “It’s wonderful to see us hiring more talent like Matt.” And I think he’s right on. I never understood the argument that hackers/researchers needed to stay independent (read: unemployed) in order to do good work. What better place to get a chance to attack the guts of Windows than Redmond? If you look around right now, some of the most innovative research is being done by researchers with corporate backing: Mark Dowd and Alex Sotirov’s Windows memory protection attacks, Billy Hoffman’s AJAX ninjitsu, Billy Rios and Nitesh Dhanjani’s phish poisoning, and Jose Nazario’s continued mastery of the botnet scene.

The idea is to hire the smartest people and let them tackle the hardest problems, right? With Miller’s hiring, you can put one more in the Redmond column.


This comment was submitted by Gene Spafford of Purdue University's CERIAS center: As a real security researcher it bothers me that people who focus on finding vulnerabilities in existing (usually weak) systems are given the same title. I will concede that there is some talent required to find some of the vulnerabilities that are exposed. However, that really isn't "security research" any more than finding a way to break in and steal the disks is "security research." Security research includes organized analysis, design, construction and derivation of more general principles. "Professional penetration tester" is a fair title, and one with honor and history going back many decades (although I suspect few of the current fraternity have actually studied the methods and discoveries of the pioneers in the field). My concern is that real security research -- into better protocols, architectures, forensics, formal models, and more -- is badly underfunded and poorly supported. Giving people the idea that finding exploits for flaws in systems that weren't really designed for security is "research" is likely to further divert resources away from efforts that could make a difference in the future. It is especially disappointing, in light of this particular post, to note that Microsoft is discontinuing their support of our (real) security research center -- because they could not find someone inside Microsoft Research who was willing to advocate internally that it was important. "Penetrate and patch" is probably important for many vendors and customers as long as overly-complex systems with little security design are dominant. Penetration testers and automated patching are part of that landscape. But it doesn't have to be that way, and real research can make a difference, if it is supported... and that is less likely if the majority of people think that "research" is primarily (or only) breaking systems.
I have read Professor Spafford’s response to this post and I find myself a bit puzzled. There appear to be three distinct themes in his response: a quibble about terminology, a rant about lack of funding and finally what appears to be a shot at Microsoft for discontinuing support (moral? financial?) for the “real” researchers at Purdue. This begs further discussion. Whether Mr. Miller and his ilk are called “security researchers,” “professional penetration testers,” “poseurs” or “felons” is irrelevant. What *is* relevant is that Mr. Miller and others like him have specific subject matter expertise that can be applied to various classes of *real* as opposed to theoretical security problems. Dan Kaminsky recently reported a major *design* flaw in DNS – by all accounts he did a tremendous amount of work and then took pains to have his work peer-reviewed and then worked responsibly with various groups (including US CERT, vendors and Paul Vixie) to craft a remediation. I fail to see where this differs markedly from the research process employed in “real” computer science and, more pointedly, I note that the discovery did *not* come from the “real” security research community to which Professor Spafford belongs. Thus, the next issue that begs to be discussed is: if Professor Spafford is so offended by the “noms de guerre” of the legitimate hacker community who are focusing applied expertise on real world (i.e. DNS) problems, what has the “real” security research community contributed of late? To be sure, there are pockets of brilliance – exceedingly smart individuals in academia who are working on hard security problems and producing great results (Dan Boneh at Stanford, Ed Felten at Princeton, and David Wagner at Berkeley come to mind). Given that, let us take it one step further – what DNS class flaw or other profoundly seminal work has Purdue contributed of late? Analysis of the Morris Worm, Dan/SATAN and Tripwire are all noted – and all old news.
Yes, I know of Arxan, but I believe that was Professor Atallah. While Professor Spafford concedes that the role of “professional penetration tester” requires “some” talent, I expect that it is not lost on him that individuals like Mr. Miller are in business due in large part to the *failure* of the higher education system – form over function at all costs. While I know that Purdue and Professor Spafford cannot be held to account for the entire academic computer science research community, can we at least expect that all CS students from Purdue are so well versed in security that Mr. Miller, Mr. Kaminsky and others need not pay attention to the software they create or the systems they design? With regard to the comment that Microsoft hiring Mr. Miller is “likely to further divert resources,” this seems to be a specious argument – whether Microsoft, Apple or Victoria’s Secret hires individuals from this field is irrelevant. It is *not* the responsibility of corporations to fund academic research – that is the job of government. Simple economics and business practice dictate that money follows expertise – if Microsoft Research (or any other funding entity, government or otherwise) can identify or derive value from the work done at Purdue, then expect a windfall. If not, then that may prompt some soul searching. In the meantime, expect others like the “false gods” of the security research community to cash in on your behalf.